author: uvok cheetah, 2025-01-11 13:50:37 +0100
committer: uvok cheetah, 2025-01-11 13:50:37 +0100
commit: fd5bbe2a44de2da54b7a25e99c2380507a43eb21
tree: 11eef5fac5d49eb5a814aedf9005689ae560103d
parent: 6413c995ec300c4dca7fc2cec5a0da518aa30eb5
Formatting., github issues
-rw-r--r-- _drafts/migrating-dns-servers.md 26
1 files changed, 16 insertions, 10 deletions
diff --git a/_drafts/migrating-dns-servers.md b/_drafts/migrating-dns-servers.md
index 246128f..60aff4a 100644
--- a/_drafts/migrating-dns-servers.md
+++ b/_drafts/migrating-dns-servers.md
@@ -102,18 +102,18 @@ other TLDs and other registrars.
1. Download the zone data from the INWX web interface
1. Create the zone in PowerDNS and set various settings
- #!/bin/bash
- zone="example.com"
- pdnsutil create-zone $zone
- pdnsutil set-kind $zone primary
- pdnsutil secure-zone $zone
- pdnsutil set-presigned $zone
- pdnsutil set-meta $zone ALLOW-AXFR-FROM <ip of secondaries>
+ #!/bin/bash
+ zone="example.com"
+ pdnsutil create-zone $zone
+ pdnsutil set-kind $zone primary
+ pdnsutil secure-zone $zone
+ pdnsutil set-presigned $zone
+ pdnsutil set-meta $zone ALLOW-AXFR-FROM <ip of secondaries>
1. Filter and import the zone. PowerDNS will actually complain about the NSEC3
records otherwise once you open the zone in your editor.
- grep -vw "IN NSEC3" ./dl-zone.txt > imp-zone.txt
- pdnsutil load-zone $zone ./imp-zone.txt
+ grep -vw "IN NSEC3" ./dl-zone.txt > imp-zone.txt
+ pdnsutil load-zone $zone ./imp-zone.txt
This should keep the RRSIGs for the NSEC3 records. This doesn't help with
the errors I receive later, though…
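Review bot: In the first script, `pdnsutil set-meta $zone ALLOW-AXFR-FROM <ip of secondaries>` sits under a `#!/bin/bash` line, where bash treats `<` and `>` as redirection operators, so a reader who runs the block before substituting the placeholder gets a shell error instead of an obvious "fill this in" hint. Consider defining a `secondaries=` variable next to `zone=` and passing both quoted, as `"$zone"` and `"$secondaries"`. The second snippet's `pdnsutil load-zone $zone ./imp-zone.txt` also relies on `zone` still being set from the earlier block, which is worth stating since the two snippets belong to different list items.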
@@ -162,10 +162,11 @@ other TLDs and other registrars.
PowerDNS can't sign the reply, because it doesn't have the keys to sign the
NSEC3 replies (??? I guess ???). So now, instead of sending back an unsigned
reply, it sends back an error.
+
I imported the RRSIGs for these NSEC3 records, though, at least in a second
attempt. I tried all combinations of (set-nsec3|unset-nsec3) and (import
NSEC3-RRSIG|don't import NSEC3-RRSIG). All variants failed. I have no clue
- how this is supposed to work cleanly.
+ how this is supposed to work cleanly. [^7]
1. Wait at least 24 hours (TTLs, DNS propagation time). \
*I am currently at this step. Further steps are guesswork*.
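Review bot: The footnote marker is added as `cleanly. [^7]`, with a space between the period and the marker, so the reference will render detached from the sentence it annotates; `cleanly.[^7]` keeps it attached. The blank line added before "I imported the RRSIGs" splits the list item into two paragraphs, so please confirm in the rendered draft that the second paragraph is still indented under the item and that the following `1. Wait at least 24 hours` continues the same list.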
@@ -222,6 +223,11 @@ headache for me.
[^6]: such as duplicate RRSIG replies.
+[^7]:
+ There are two GitHub issues similar to this:
+ [#9263](https://github.com/PowerDNS/pdns/issues/9263) and
+ [#8892](https://github.com/PowerDNS/pdns/issues/8892)
+
<!-- vim: set ft=markdown tw=80 ai tabstop=4 shiftwidth=4 expandtab: -->
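Review bot: The new `[^7]:` definition starts its text on the following line, while the neighbouring `[^6]: such as duplicate RRSIG replies.` keeps the text on the marker line; using the same form for both makes the footnote block easier to scan. The sentence also ends after the `#8892` link without a period, and "similar to this" leaves the reader to guess which symptom is meant, so naming it (the error returned instead of an NSEC3 reply for a presigned zone) would make the footnote useful on its own.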